Apache Server configuration support - Web Server Security


Author Web Server Security
engineer10325

2007-06-10, 1:22 am

I'm about to put my 1st web server on the internet. It will have
sensitive information on it. So I'm looking for pointers to
information on how to secure a web server.

I'm also interested in understanding how the directories are secured.
I'm running an application that has a login screen, but I need to be
sure that you can't just go around the login page and drill down
directly into the directories - which does not seem to be the case
today.

Thanks in advance!

Davide Bianchi

2007-06-10, 1:22 am

On 2007-06-10, engineer10325 <engineer10325@yahoo.com> wrote:
> I'm about to put my 1st web server on the internet. It will have
> sensitive information on it. So I'm looking for pointers to
> information on how to secure a web server.


See http://httpd.apache.org/docs/1.3/mi...urity_tips.html

> I'm running an application that has a login screen, but I need to be
> sure that you can't just go around the login page and drill down


Then you need to carefully debug your application.

Davide

--
I'm suing a cigarette company because on the package they promised to
kill me, and yet here I am.
-- Kurt Vonnegut

shimmyshack

2007-06-10, 7:23 am

On Jun 10, 2:01 am, engineer10325 <engineer10...@yahoo.com> wrote:
> I'm about to put my 1st web server on the internet. It will have
> sensitive information on it. So I'm looking for pointers to
> information on how to secure a web server.
>
> I'm also interested in understanding how the directories are secured.
> I'm running an application that has a login screen, but I need to be
> sure that you can't just go around the login page and drill down
> directly into the directories - which does not seem to be the case
> today.
>
> Thanks in advance!


My advice is that if you are running a bought and paid for app, then
subscribe to their security alerts using your principal email; if you
are making your own, then don't put it out there until you have had it
looked over by someone with security experience (unless the buck
stops with someone else!!).
Sensitive info (whatever that means) should only be placed on the net
if you have the experience to secure it, and have conformed to the
relevant laws for your country for data protection, if applicable.
Security for a webserver (and web application) is different from "home
security": no firewalls, no antivirus will help you. It is about
minimisation of exposed surface area. No matter if you have secured
all but one single seemingly minor flaw, a decent hacker will find
that flaw and use it to throw open the rest, and who would boast about
all but a single flaw?
Anyway, my advice is: unless you KNOW, don't.

kwan

2007-06-11, 7:22 pm

On Jun 10, 5:12 am, shimmyshack <matt.fa...@gmail.com> wrote:
> On Jun 10, 2:01 am, engineer10325 <engineer10...@yahoo.com> wrote:
>
> My advice is that if you are running a bought and paid for app, then
> subscribe to their security alerts using your principal email; if you
> are making your own, then don't put it out there until you have had it
> looked over by someone with security experience (unless the buck
> stops with someone else!!).
> Sensitive info (whatever that means) should only be placed on the net
> if you have the experience to secure it, and have conformed to the
> relevant laws for your country for data protection, if applicable.
> Security for a webserver (and web application) is different from "home
> security": no firewalls, no antivirus will help you. It is about
> minimisation of exposed surface area. No matter if you have secured
> all but one single seemingly minor flaw, a decent hacker will find
> that flaw and use it to throw open the rest, and who would boast about
> all but a single flaw?
> Anyway, my advice is: unless you KNOW, don't.


You may be interested in implementing suexec, which I currently use on my new
webserver.


Copyright 2003 - 2009 webservertalk.com